This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| less than a minute read

Utah Likely to Enact State Privacy Legislation

The Utah state legislature has passed a comprehensive privacy act for the state that is similar to ones already enacted in California, Colorado, and Virginia. It is part of a wave of privacy rights efforts taking place worldwide that has started to creep across the US.  

The Utah legislation does not contain materially new or different obligations for US companies, but it evidences the increased attention to privacy as a legal right in the US.  It also underscores the need for US companies to understand and govern the data they hold -- often on behalf of their customers -- as a matter of operational fact.  

Why it Matters

The new breed of privacy laws that started in Europe and California in 2018 create obligations to safeguard personal data from many stakeholders. They apply equally to B2B companies as to B2C companies; indeed, many SMBs are subject to these laws via contract with their large corporate customers. Being ready to demonstrate privacy compliance and pass a security audit is increasingly part of the normal operational posture for SMBs.  

The UCPA's thresholds and provisions track closely with the Virginia Consumer Data Privacy Act. The primary threshold for a covered business whether a company makes more than $25 million in annual revenue, but those companies also have to hold personal data on 100,000 Utah consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The UCPA carries standard consumer rights, several exemptions, 45-day request response periods, a 30-day cure period and unique attorney general enforcement provisions that all take effect Dec. 31, 2023. The law does not include a private right action, provisions on "dark patterns" or the Global Privacy Control, or required data protection assessments.


data security and privacy, insights, hill_mitzi